Doing Security Policies Right

To maximize the effectiveness of your business’ security policy, consider these five essential areas during the creation and deployment stages.

Most sophisticated businesses have at least some form of a security policy for their organizations. Unfortunately, all too often, those policies are inadequate, fail to comply with applicable regulatory requirements, are profoundly complex and difficult for the average employee to understand, and almost always aren’t updated in a timely manner.

In this post, I will not focus on the actual content of security policies, but on the overall approach and process of creating and deploying them. It is in the implementation of security policies that many companies fail. That is our focus today: ensuring that policies are understandable to the “rank and file” employee and that deployment throughout the organization is done in a thoughtful manner. This increases the likelihood that security policies will actually provide the protection they are designed to provide.

Here are the top five areas to consider when creating and deploying a security policy:

1. The drafting team

All too often, the team responsible for drafting the security policy is composed solely of internal and potentially external information security experts. While those experts may be terrific at identifying and addressing security risks, they are seldom expert drafters of understandable policies. The focus should be on crafting a document that can be easily understood by someone who is not a security professional. That means engaging personnel who are knowledgeable about employee policies (e.g., HR professionals) in the drafting process. A team composed of information security experts, HR professionals, and legal and other subject-matter experts is key to developing policies the average employee can understand.

2. Avoiding overly complex policies

The primary problem with most security policies is that they are so long and frequently so convoluted that the average employee won’t take the time to read them, or even if they invest the time, won’t understand them. Some security policies can be as long as 70 pages with hyperlinked references to more than a dozen ancillary policies. That’s not the type of document we can reasonably expect the average employee to read, let alone understand. Such a policy may well be warranted, especially given the complexity of some businesses, but a lengthy security policy is not what you would want to hand out to every employee.

In cases in which a security policy simply cannot be reduced to a relatively small number of pages, the answer is to create a secondary document that summarizes the most important points in the primary security policy. It is that secondary policy that is then circulated to the average employee. Secondary summary policies can be very effective at highlighting key points and clarifying for the average employee the risks the business is seeking to address. The level of detail is sufficient to educate employees regarding their obligations, but not so great as to inundate them with information. In general, these summary policies can be rapidly created once the underlying, complete policy is drafted.

3. Drafting tips

In any event, whether in the underlying, complete policy or the secondary policy, some basic drafting tips should be followed:

Ensure all key terms are clearly defined.

Avoid interlocking definitions, where one definition ties to another definition, which in turn ties to yet another definition.

Avoid excessive use of acronyms, particularly in any secondary policy.

Consider including summary paragraphs at the top of important sections.

For key concepts, replace lengthy blocks of text with bullet points or checklists.

Always strive to write in plain English.

4. Deployment

Once an appropriate, understandable policy is written, the standard approach is to provide employees with a copy and require them to sign an acknowledgement that they have received and read the policy. While this is helpful from a legal perspective, it is unlikely to ensure that the employee actually understood what was written and almost never results in any increased security protection for the company. This brings us to the topics discussed in my earlier blog entries: conducting employee education regarding security is absolutely critical. In particular, mandatory new hire training, ongoing security awareness training and exit interviews should be the norm. Security bulletins should be circulated on a regular basis to highlight new threats and risks (e.g., the use of wireless networks, removable media and employee camera phones).

A recent survey conducted by an industry trade publication found that 10 percent of companies never conduct training and only eight percent conduct quarterly training. The survey showed most businesses conduct training annually or on a completely ad hoc basis. Something more structured must be done to more effectively manage security.

5. Enforcement

Distribution of the policy and training should be followed by enforcement. This means monitoring employee compliance and, when necessary, taking appropriate action to address infractions. An initial, minor infraction may only warrant remedial education and a warning. Substantial or repeated infractions may mean disciplinary action, up to and including termination. Employees should also understand that breaches may subject them to personal civil and criminal liability. The point is not to threaten employees, but to make it clear that infractions will have very real consequences, including the loss of their job.

By following the suggestions above, businesses can draft more effective and understandable security policies. Without these measures, most policies will go unread, and worse, the policies won’t contribute to overall mitigation of risk in businesses.

[Disclaimer: The information on this blog or article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this blog or article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this blog or article may be considered Attorney Advertising.]

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney.